External IP 185.247.137.206 conducted sustained multi-protocol reconnaissance targeting Oracle databases and industrial control systems over a 10-week period from February to April 2026. The campaign demonstrates medium-severity threat activity with 61 recorded events spanning database enumeration, …
Posts tagged: ICS_ATTACK
31 posts
IP address 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and database services over a 72-day period from February 12 to April 24, 2026. The threat actor employed multi-protocol scanning techniques including Siemens S7COMM, Oracle TNS, and Modbus protocols, i…
IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation campaign from March 24 to April 17, 2026, targeting industrial control systems (S7comm), SMB services, and network infrastructure across multiple protocols. The threat is assessed as LOW severity with 85% confidence, repres…
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS en…
External IP 109.105.209.32 conducted sustained reconnaissance against industrial control systems over a 25-day period from March 14-April 8, 2026, targeting MODBUS protocols and other ICS infrastructure. This represents a MEDIUM threat with 85% confidence, indicating potential preparation for operat…
Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) a…
IP address 65.49.1.66 conducted sustained multi-protocol reconnaissance targeting industrial control systems, network infrastructure, and enterprise services over a 6-week period from February 25 to April 6, 2026. The activity demonstrates medium-risk threat behavior with 62 recorded events spanning…
A Windows-based threat actor operating from Romanian hosting provider Flyservers S.A. (141.98.83.86) conducted an intensive multi-protocol scanning campaign between March 29-April 4, 2026, generating over 94,000 malicious events targeting RDP, SSH, and industrial control systems. The activity repres…
Threat actor 185.103.110.159 conducted targeted reconnaissance and exploitation attempts against Industrial Control Systems (ICS) infrastructure between March 24-25, 2026, utilizing Modbus and S7comm protocols. The campaign demonstrates medium-severity threat activity with 76 recorded events focusi…
IP address 91.224.92.114 conducted 49 targeted attacks against industrial control systems between February 18, 2026 14:00 and March 16, 2026 10:00, primarily leveraging Siemens S7 communication protocols. This represents a MEDIUM threat level with moderate confidence, indicating potential reconnaiss…
External threat actor 66.132.172.102 conducted targeted reconnaissance against industrial control systems using Modbus protocol attacks between March 20-26, 2026, with 79 recorded events. This HIGH confidence threat demonstrates sophisticated capabilities targeting critical infrastructure with poten…
IP address 80.94.95.43 conducted targeted reconnaissance against industrial control systems (ICS) infrastructure over a 15-day period from March 10-25, 2026, generating 69 attack events primarily focused on S7comm protocol exploitation. This represents LOW-severity threat activity consistent with in…
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 40-day period from February 12 to March 24, 2026. Despite 468 recorded events across 11 protocols including EtherNet/IP, Modbus, and MQTT, the a…
Threat actor at 185.247.137.40 conducted reconnaissance scanning targeting industrial control systems over a 32-day period, specifically probing EtherNet/IP and Modbus protocols commonly used in operational technology environments. Assessment indicates LOW threat level with potential for escalation…
Critical industrial control system (ICS) reconnaissance activity detected from IP 167.94.138.194 on March 10, 2026 at 18:00 UTC, targeting Modbus and S7comm protocols with broadcast enumeration techniques. This represents HIGH-severity threat activity consistent with advanced persistent threat (APT…
A Netherlands-based IP address (160.119.76.49) conducted targeted reconnaissance against industrial control systems and IoT infrastructure on March 15, 2026, between 14:00-17:00 UTC. The activity included MQTT broker scanning and S7comm protocol probes, indicating potential targeting of critical inf…
Malicious actor at IP 13.89.125.30 conducted targeted reconnaissance against industrial control systems using Modbus protocol attacks on March 5, 2026. The activity demonstrates medium-severity threat behavior focused on device identification and potential system mapping of critical infrastructure. …
A US-based threat actor (152.32.148.140) conducted targeted attacks against industrial control systems and IoT infrastructure on March 10, 2026, employing Modbus protocol exploitation and MQTT reconnaissance techniques. The attacker demonstrates sophisticated knowledge of operational technology envi…
External threat actor from Lithuania (77.90.185.135) conducted targeted reconnaissance against industrial control systems using Siemens S7comm protocol, indicating potential APT activity focused on critical infrastructure. Assessed threat level: HIGH with 95% confidence based on specialized ICS att…
A US-based threat actor (3.131.220.121) conducted sustained reconnaissance against industrial control systems and network infrastructure over a 20-day period, employing Modbus protocol attacks and FortiGate device enumeration. The activity demonstrates HIGH threat level with 85% confidence, indicat…
Threat actor at IP 162.142.125.121 conducted targeted reconnaissance against industrial control systems between March 6-10, 2026, using specialized ICS protocols including S7comm and Modbus to enumerate device information. This HIGH-severity activity represents active intelligence gathering against…
A sophisticated threat actor operating from IP 109.105.209.17 (Zenlayer Inc/AS21859) conducted 75 targeted attacks against industrial control systems between March 10-12, 2026, utilizing Siemens S7 communication protocols. The attacker demonstrates advanced capabilities with a perfect AbuseIPDB mal…
Our sensors detected targeted reconnaissance activity against Industrial Control Systems (ICS) infrastructure from IP 185.247.137.110 (Leeds, GB) between February 23-March 11, 2026. The threat actor conducted EtherNet/IP and Modbus protocol enumeration attacks, indicating potential preparation for …
Threat actor operating from IP 167.94.146.58 conducted targeted reconnaissance against industrial control systems over a 21-day period, employing Siemens S7comm and Modbus protocols to probe critical infrastructure. The activity represents a MEDIUM threat level with potential for escalation to oper…
Threat actor operating from IP 150.107.38.251 conducted targeted reconnaissance against industrial control systems using BACnet protocol exploitation on March 13, 2026. This represents a HIGH severity threat given the focus on critical infrastructure and the actor's 100/100 AbuseIPDB reputation sco…